Mail.ru 
Building the Internet since 1998 


https://corp.mail.ru - @mailru 


Reports resolved Assets in scope Average bounty 
4555 22 $200-$300 
Bug Bounty Program 
Launched on Apr 2014 


Includes retesting @ Bounty splitting enabled () 


B => i 
newal’das 

Low Medium High Critical 
$150 $3,000 $20,000 $60,000 


Bounties above are maximum values for the Main program scope. Below is more detailed table. 


Accepted languages: 
28 English 
= PyccKuV 


All amounts are for reference purposes only. Reward applicability and reward amount may depend on 


problem severity, novelty, exploitation probability , environmental and other factors. Reward decision is 


made by Mail.Ru security team for each report individually. 


Mail.ru authentication center, mail, messaging, cloud services, portal, content and 


news projects: 


. $15000 
Remote code execution (RCE) $40000 $15000 $15000 
/$2500* 


Injections (SQLi or equivalent) $30000 $10000 $10000 $10000 


~ 


$30000 


$20000 


Iil 





Local files access and manipulation (LFR, RFI, 
XXE) without jail/chroot/file type 


restrictions 


RCE in dev. infrastructure / isolated or 
virtualized single-purpose process (e.g. 


image conversion) 


SSRF, non-blind (with ability to read reply 


text), except dedicated proxies 
SSRF, blind, except dedicated proxies 


Serverside vulnerability with information 
disclosure (e.g. memory Leaks / IDORs) of 
application critical or highly confidential data 
(e.g. sessions, accounts, passwords, credit 


cards, e-mail messages) 


Serverside vulnerability with information 
disclosure (e.g. memory Leaks / IDORs) of 
protected personal data or sensitive client 


information 


Serverside vulnerability with information 
disclosure (e.g. memory Leaks / IDORs) of 
sensitive application or infrastructure data / 
role privilege escalation within organization / 
insecure installation of maintained VM image 


or software package (MCS)** 


Admin / support interface authentication 


bypass 


Admin / support interface blind XSS 


Cross-Site Scripting (XSS) on e-mail reading 


via message content (except AMP) 


Cross-Site Scripting (XSS) *** 


$30000 


$7500 


$10000 


$2000 


$12500 


$7500 


$1000 


$7500 


$3000 
$2000 


$2000 


$1000 


$10000 


$5000/$1000* 


$5000 


$2000 


$10000 


$5000 


$100 - $5000 


$5000 


$2000 


$0 


$1000 


$10000 


$5000 


$5000 


$2000 


$10000 


$5000 


$100 - 
$5000 


$3000 


$2000 


$0 


$500 


$10000 


$5000 


$5000 


$2000 


$10000 


$5000 


$100 - 
$5000 


$3000 


$2000 


$0 


$1000 / 
$0 / 


$20000 


$10000 


$10000 


$1500 


$15000 


$6000 


$150 - 
$6000 


$5000 


$3000 


$0 


$0 


$150 - 


$1000 / 
Cross-Site Request Forgery (CSRF, Flash $150 - $150 - 
i _ $150 - $1000 $0/$0- $0 
crossdomain requests) $1000 $500 
$250 
KKK K 
Mobile application local account 
H $1000 $0 $0 $1000 $0 
compromise or full data access 
Remote DoS against mobile or desktop $300 / 

a. . $0 $0 $0 $0 
application (persistent/non persistent) $150 
SDC***** technique bypass for critical 

a $1500 $0 $0 $0 $0 


projects 


* standart remote code execution (RCE) / remote code execution (RCE) using vulnerabilities in open 
source third-party components (including Open Stack) 

** verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc 
are not considered as sensitive, reports like these are usually accepted without bounty. Software version 
disclosure reports are not accepted. 

*** self-XSS, XSS specific to non-common browsers (e.g. IE), blocked by CSP and another vectors without 
proven script execution are usually accepted without bounty. Unused subdomain takeover is considered 
under same severity / conditions as parent domain XSS. 

**** bounty for ICQ Web Client /ICQ Web API Sandbox / ICQ Web Portal 

**EEX SDC is explained here, reports are accepted for SDC-aware domains with critical data 
(e/m/tel[touch|light/cloud/calendar|biz).mail.ru. SDC bypass is direct or indirect (through SDC-anaware 
domain) access to product-specific API of these projects without valid sdc/sdcs cookie without access to 
auth.mail.ru ssdc cookie or valid user's credentials. SDC is web based, attacks via e.g. mobile applications 


are not considered. 
Vulnerabilities in Android applications are also eligible for Google Play Bug Bounty. 


O20 services 


Citymobil * 
$300 
Remote code execution (RCE) $25000 $8000 - 
$3000 
$150 
Injections (SQLi or equivalent) $22000 $5000 - 


$1500 


type restrictions) 


RCE in dev. infrastructure / isolated or virtualized single-purpose process 


(e.g. image conversion) 


SSRF, non-blind (with ability to read reply text), except dedicated proxies 


SSRF, blind, except dedicated proxies 


Serverside vulnerability with information disclosure (e.g. memory Leaks / 
IDORs) of application critical or highly confidential data (e.g. sessions, 


accounts, passwords, credit cards, e-mail messages) 


Serverside vulnerability with information disclosure (e.g. memory Leaks / 


IDORs) of protected personal data or sensitive client information 


Serverside vulnerability with information disclosure (e.g. memory Leaks / 
IDORs) of sensitive application or sensitive infrastructure data / role privilege 


escalation within organization ** 
Admin / support interface authentication bypass 
Admin / support interface blind XSS 


Cross-Site Scripting (XSS) *** 


Cross-Site Request Forgery (CSRF, Flash crossdomain requests) 


Mobile application local account compromise or full data access 


$22000 


$12000 


$12000 


$2000 


$18000 


$12000 


$150 - 


$12000 


$8000 
$4000 


$0-300 


$150 - 
300 


$300 


$5000 


$4000 


$2000 


$750 


$3000 


$1500 


$1000 
$150 


$100 


$150 


$150 


$0 


$0 


* Tier 1 include preauthentication vulnerabilities and vulnerabilities in public Citimobil interfaces and 


applications. Tier 2 include post-authentication vulnerabilities in city-srv.ru, "taxiserv", "fleet", 


“corporate”, “delivery” and driver api. Tier 3 include vulnerabilities in supwork.city-mobil.ru, naumen- 


test.city-mobil.ru and naumen.city-mobil.ru. 


** verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc 


are not considered as sensitive, reports like these are usually accepted without bounty. Software version 


disclosure reports are not accepted. 


*** self-XSS, XSS specific to non-common browsers (e.g. IE), blocked by CSP and another vectors without 


proven script execution are usually accepted without bounty. Unused subdomain takeover is considered 


under same severity / conditions as parent domain XSS. 


Remote code execution (RCE) $65000 $40000 $25000 
Injections (SQLi or equivalent) $55000 $30000 $23000 
Local files access and manipulation (LFR, RFI, XXE) without jail/chroot/file 
a $55000 $30000 $23000 
type restrictions) 
RCE in dev. infrastructure / isolated or virtualized single-purpose process 
. . $45000 $20000 $23000 
(e.g. image conversion) 
i: $35000 
SSRF, non-blind (with ability to read reply text), except dedicated proxies $35000 $10000 $23000 
SSRF, blind, except dedicated proxies $25000 $2000 $20000 
Serverside vulnerability with information disclosure (e.g. memory Leaks / 
IDORs) of application critical or highly confidential data (e.g. sessions, $45000 $1500 $22000 
accounts, passwords, credit cards, e-mail messages) 
Serverside vulnerability with information disclosure (e.g. memory Leaks / 
m a . $40000 $400 $20000 
IDORs) of protected personal data or sensitive client information 
Serverside vulnerability with information disclosure (e.g. memory Leaks / $150 $0 $0 
IDORs) of sensitive application or sensitive infrastructure data / role 
np . RP MRE $40000 $400 $20000 
privilege escalation within organization ** 
Admin / support interface authentication bypass $30000 $500 $0 
Admin / support interface blind XSS $18000 $300 $0-$300 
Cross-Site Scripting (XSS) *** $3500 $150 $0 
Cross-Site Request F (CSRF, Flash crossdomai ts) $150- $100- so 
ross-Site Request Forger , Flash crossdomain requests 
i A i $3500 $150 
Mobile application local account compromise or full data access $300 $150 $0 


* Tier 1 include preauthentication vulnerabilities and vulnerabilities in public Delivery Club interfaces and 
applications. Tier 2 include preauthentication vulnerabilities and vulnerabilities in public ZakaZaka 
interfaces and applications. Tier 3 include , post-authentication vulnerabilities in 
Delivery Club interfaces, post-authentication vulnerabilities in ZakaZaka interfaces, vulnerabilities in 
applications for couriers and restaurants. 

** verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc 
are not considered as sensitive, reports like these are usually accepted without bounty. Software version 
disclosure reports are not accepted. 

*** self-XSS, XSS specific to non-common browsers (e.g. IE), blocked by CSP and another vectors without 
proven script execution are usually accepted without bounty. Unused subdomain takeover is considered 


under same severity / conditions as parent domain XSS. 


Remote code execution (RCE) $1000 $12000 $4500 
Injections (SQLi or equivalent) $500 $6000 $3000 
Local files access and manipulation (LFR, RFI, XXE) without 
as _ $500 $6000 $3000 
jail/chroot/file type restrictions) 
RCE in dev. infrastructure / isolated or virtualized single- 
l $500 $4000 $2000 
purpose process (e.g. image conversion) 
SSRF, non-blind (with ability to read reply text), except 
| | > py P $500 $4800 $2500 
dedicated proxies 
SSRF, blind, except dedicated proxies $0 $1000 $750 
Serverside vulnerability with information disclosure (e.g. 
memory Leaks / IDORs) of application critical or highl 
4 . a Ai _ $500 $6000 $2750 
confidential data (e.g. sessions, accounts, passwords, credit 
cards, e-mail messages) 
Serverside vulnerability with information disclosure (e.g. 
memory Leaks / IDORs) of protected personal data or $250 $1600 $750 
sensitive client information 
Serverside vulnerability with information disclosure (e.g. 
memory Leaks / IDORs) of sensitive application or sensitive $0 - 
d n PP ae $0 - $250 $0 - $750 
infrastructure data / role privilege escalation within $1600 
organization * 
Admin / support interface authentication bypass $250 $2000 $1000 
Admin / support interface blind XSS $150 $600 $500 
Cross-Site Scripting (XSS) ** $0 $0 $200 
Cross-Site Request Forgery (CSRF, Flash crossdomain 
i -a $0 $0 $200 
requests) 
Mobile application local account compromise or full data 
jj P $0 $0 $0 


access 


* verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc are 
not considered as sensitive, reports like these are usually accepted without bounty. Software version 
disclosure reports are not accepted. 

** self-XSS, XSS specific to non-common browsers (e.g. IE), blocked by CSP and another vectors without 
proven script execution are usually accepted without bounty. Unused subdomain takeover is considered 


under same severity / conditions as parent domain XSS. 


Remote code execution (RCE) $20000 $3000 
Injections (SQLi or equivalent) $10000 $1500 


Local files access and manipulation (LFR, RFI, XXE) without jail/chroot/file type 
— $10000 $1500 
restrictions 


RCE in dev. infrastructure / isolated or virtualized single-purpose process (e.g. 
. i $7500 $1000 
image conversion) 


SSRF, non-blind (with ability to read reply text), except dedicated proxies $4000 $1200 
SSRF, blind, except dedicated proxies $1000 $250 


Serverside vulnerability with information disclosure (e.g. memory Leaks / 
IDORs) of application critical or highly confidential data (e.g. sessions, $10000 $1500 


accounts, passwords, credit cards, e-mail messages) 


Serverside vulnerability with information disclosure (e.g. memory Leaks / $5000 $400 
IDORs) of protected personal data or sensitive client information 


Serverside vulnerability with information disclosure (e.g. memory Leaks / $0 - $0 - $400 
IDORs) of sensitive application or infrastructure data * $5000 
Admin / support interface authentication bypass $3000 $500 
Admin / support interface blind XSS $1500 $150 
Cross-Site Scripting (XSS) ** $200 $0 

l l $100 - 
Cross-Site Request Forgery (CSRF, Flash crossdomain requests) $200 $0 


* verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc are 
not considered as sensitive, reports like these are usually accepted without bounty. Software version 
disclosure reports are not accepted. 

** self-XSS, XSS specific to non-common browsers (e.g. IE), blocked by CSP and another vectors without 
proven script execution are usually accepted without bounty. Unused subdomain takeover is considered 


under same severity / conditions as parent domain XSS. 


Educational services 


Uchi scope only awards critical serverside vulnerabilities, if vulnerability compromises the infrastructure 
(e.g. RCE, SQLi, LFR, SSRF, etc) or compromises data outside of project's scope (e.g. personal 


information) via serverside vector. 


expiration, cookies working after logout etc are not accepted unless there are additional vectors identified 


(e.g. ability to steal the session token via remote vector for open redirection). 


Remote code execution (RCE) $1000 
Injections (SQLi or equivalent) $500 
Local files access and manipulation (LFR, RFI, XXE) without jail/chroot/file type restrictions $500 


RCE in dev. infrastructure / isolated or virtualized single-purpose process (e.g. image 


$500 
conversion) 
SSRF, non-blind (with ability to read reply text), except dedicated proxies $500 
SSRF, blind, except dedicated proxies $0 
Serverside vulnerability with information disclosure (e.g. memory Leaks / IDORs) of 
application critical or highly confidential data (e.g. sessions, accounts, passwords, credit $500 
cards, e-mail messages) 
Serverside vulnerability with information disclosure (e.g. memory Leaks / IDORs) of $250 
protected personal data or sensitive client information 
Serverside vulnerability with information disclosure (e.g. memory Leaks / IDORs) of sensitive $0-$250 
application or infrastructure data * 
Admin / support interface authentication bypass $250 
Admin / support interface blind XSS $150 


* verbose error outputs, local installation path disclosure, phpinfo() output, etc are not considered as 
sensitive, reports like these are usually accepted without bounty. Software version disclosure reports are 


not accepted. 


Food services 


In Food services scopes only awards critical serverside vulnerabilities, if vulnerability compromises the 
infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc) or data outside of project's scope (e.g. personal 


information) via serverside vector. 


Clientside vulnerabilities (XSS, CSRF) and business logic specific bugs, including privilege escalations 
within the product are accepted without bounty. 

MitM and local attacks, user enumeration on registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted unless there are additional vectors identified 


(e.g. ability to steal the session token via remote vector for open redirection). 


Remote code execution (RCE) $1500 $750 $1000 
Injections (SQLi or equivalent) $750 $400 $500 
Local files access and manipulation (LFR, RFI, XXE) without 
= Spe $750 $400 $500 
jail/chroot/file type restrictions) 
RCE in dev. infrastructure / isolated or virtualized single- 
l l $500 $250 $500 
purpose process (e.g. image conversion) 
SSRF, non-blind (with ability to read reply text), except 
| | > ii i $600 $300 $500 
dedicated proxies 
SSRF, blind, except dedicated proxies $250 $150 $0 
Serverside vulnerability with information disclosure (e.g. 
memory Leaks / IDORs) of application critical or highl 
Á . . a T l $750 $400 $500 
confidential data (e.g. sessions, accounts, passwords, credit 
cards, e-mail messages) 
Serverside vulnerability with information disclosure (e.g. 
memory Leaks / IDORs) of protected personal data or sensitive $400 $200 $250 
client information 
Serverside vulnerability with information disclosure (e.g. 
memory Leaks / IDORs) of sensitive application or sensitive 
as S ene $0-$400 $0-$200 $0-$250 
infrastructure data / role privilege escalation within 
organization * 
Admin / support interface authentication bypass $500 $500 $250 
Admin / support interface blind XSS $150 $100 $150 
Cross-Site Scripting (XSS) ** $0 $0 $0 
Cross-Site Request Forgery (CSRF, Flash crossdomain 
Í r $0 $0 $0 
requests) 
Mobile application local account compromise or full data 
kj P $0 $0 $0 


access 


* verbose error outputs, local installation path disclosure, phpinfo() output, performance counters, etc are 
not considered as sensitive, reports like these are usually accepted without bounty. Software version 
disclosure reports are not accepted. 

** self-XSS, XSS specific to non-common browsers (e.g. IE), blocked by CSP and another vectors without 
proven script execution are usually accepted without bounty. Unused subdomain takeover is considered 


under same severity / conditions as parent domain XSS. 


Extended scope 


Clientside vulnerabilities (XSS, CSRF) and business logic specific bugs, including privilege escalations 
within the product are accepted without bounty. 
MitM and local attacks, user enumeration on registration/recovery, insufficient session expiration, cookies 


working after logout etc are not accepted unless additional impact is identified 


$200 
Remote code execution (RCE) $30000 $8000 - 
$1000 
$150 
Injections (SQLi or equivalent) $20000 $4000 - 
$500 
À . . = $150 
Local files access and manipulation (LFR, RFI, XXE) without jail/chroot/file 
i _ $20000 $4000 - 
e restrictions 
ii $500 
l l o $150 
RCE in dev. infrastructure / isolated or virtualized single-purpose process 
eai ion) $10000 $2000 - 
e.g. image conversion 
E $500 
l r , l $0 - 
SSRF, non-lind (with ability to read reply text), except dedicated proxies $10000 $2000 $500 
SSRF, blind, except dedicated proxies $1500 $500 $0 
Serverside vulnerability with information disclosure (e.g. memory Leaks / $150 
IDORs) of application critical or highly confidential data (e.g. sessions, $15000 $3000 - 
accounts, passwords, credit cards, e-mail messages) $500 
l eee SDE $150 
Serverside vulnerability with information disclosure (e.g. memory Leaks / $6000 $800 
IDORs) of protected personal data or sensitive client information $500 
Serverside vulnerability with information disclosure (e.g. memory Leaks / $150- $0- $0 - 
IDORs) of sensitive application or infrastructure data * $6000 $800 $500 
— $0 - 
Admin / support interface authentication bypass $5000 $1000 $250 
Admin / support interface blind XSS $3000 $500 $0 


* verbose error outputs, local installation path disclosure, phpinfo() output, etc are not considered as 
sensitive, reports like these are usually accepted without bounty. Software version disclosure reports are 


not accepted. 


Project 
Corporate website 
RB Mail 
Rating 
Money 
Terra bank 
Combo 
Notify 

Blog 

Youla 

Check fines 
Help 
Target 


Tracker 


Ext. B Projects 


Domain 


corp.mail.ru 


rb.mail.ru 


top.mail.ru 


money.mail.ru 


tbank.mail.ru 


combo.mail.ru 


apinotify.mail.ru 


blog.mail.ru 


youla.ru |, 


am. ru 


gibdd.mail.ru 


help.mail.ru 


target.my.com 


tracker.my.com 


Extended B scope has a projects table for helping you search vulnerabilities. 


Project 


Boosty 


Education service geekbrains 


33 Elephants 
All Cups 
Warface 
Hustle Castle 
Left of Survive 


Zero City 


Domain 


boosty.to 


gb.ru 


33slona.ru 


cups.mail.ru 


warface.com 


hc.my.games 


Its.my.com 


zc.my.games 


Lost Ark 

Skyforge 

Space Justice 

Crossfire 

Allods 

Evolution 2: Battle for Utopia 
Perfect World 

Juggernauts Wars 

Jungle Heat 

MGVC 

Player One 

IT Territory 

Pushkin Studio 

Allods Team 

Studio Nord 

VK Work * vkrabota.ru ) (including ( *.worki.ru ) and (* 
Whalekit 

BIT.GAMES 

Armata armata.my.games 
Online .Net Development Championship 


Warface 


Atom browser 


We want to get high quality reports, so we have 2 different reward categories: 
Cat 1. High quality report with PoC 


Cat 2. Basic report with description or PoC without description 


Renderer Remote Code Execution $6000 $2500 
Universal XSS (SOP bypass) $4000 $1500 
Vulnerability in built-in Extensions $1500 $500 


Memory corruption without proof of impact $500-$2000 $0 


Information Leak $200-$1000 $0 


DoS (NULL pointer dereference, infinite loop, stack overflow, OOM) $0 $0 


Pixonic 


Pixonic scope only awards critical serverside and application vulnerabilities, if vulnerability compromises 


the infrastructure (e.g. RCE, SQLi, LFR, SSRF, etc) or compromises data outside of project's scope (e.g. 


personal information) via serverside vector. 


Remote code execution (RCE) 
Injections (SQLi or equivalent) 
Local files access and manipulation (LFR, RFI, XXE) without jail/chroot/file type restrictions 


RCE in dev. infrastructure / isolated or virtualized single-purpose process (e.g. image 


conversion) 
SSRF, non-blind (with ability to read reply text), except dedicated proxies 
SSRF, blind, except dedicated proxies 


Serverside vulnerability with information disclosure (e.g. memory Leaks / IDORs) of 
application critical or highly confidential data (e.g. sessions, accounts, passwords, credit 


cards, e-mail messages) 


Serverside vulnerability with information disclosure (e.g. memory Leaks / IDORs) of 


protected personal data or sensitive client information 


Serverside vulnerability with information disclosure (e.g. memory Leaks / IDORs) of sensitive 


application or infrastructure data * 
Admin / support interface authentication bypass 
Admin / support interface blind XSS 


Mobile application local account compromise or full data access 


$8000 
$4000 


$4000 


$2000 


$2000 


$500 


$3000 


$800 


$0-$800 


$1000 
$500 


$1000 


j o ` l $150 


* verbose error outputs, local installation path disclosure, phpinfo() output, etc are not considered as 


sensitive, reports like these are usually accepted without bounty. Software version disclosure reports are 


not accepted. 


Last updated on November 25, 2021. View changes 





Scope rules 


The program's scope is limited to technical vulnerabilities in the company's critical web services or 
mobile apps. To report problems accessing your account or non-security issues, please contact 
customers support. 


A list of the projects can be found here: 
Mail.Ru: https://mail.ru/all 
My.Com: https://my.com/ 


We will not pay a reward (and we will be really upset) if we detect: 


e Physical tampering with Mail.Ru Group's data centers or offices 

e Social engineering directed at the company's employees 

e Breaking into the company's infrastructure and using the information obtained to report vulnerabilities 

e Attempt to access arbitrary user's account or data or another vulnerability post-exploitation not 
required to demonstrate the bug presence 

e Distributed network/request flooding and another resources exhaustion attacks. Automated scanning 
tools must be limited to 5 request per second (300 requests per minute) to one target host summing up 
all tools and threads running in parallel and must not exceed 5 parallel requests at the same time (5 
threads). 


Please use your own accounts, phone numbers, etc to conduct your research. Do not try to gain access to 


others’ accounts or any confidential information. 


Re-active protection 


Remember you are testing production environment which is being used, supported and monitored. To 
prevent negative reaction, conduct your research in responsible, less intrusive way and reasonably limit 
impact from your tests for users, moderators and administrators. 

Aggressive security scans and tests may trigger alerts and result in re-active measures being enforced, 
e.g. account, phone number or IP may be blocked. Automated abuse reporting tools are not used by 
Mail.ru, but in some cases, if attack resembles the real intrusion attempt manual abuse report may be sent 
by administrator. 

We believe moderation and monitoring processes must not be impacted by bug bounty and security team 


does not interfere with moderation and abuse reporting decisions for individual cases. 


OT E A eG ge ge IR ete ae ee ge gy ee E E aM ee Ee ety we E e Cate oe SS 


If you do not describe the vulnerability in sufficient detail, the discovery process is significantly prolonged 
and that doesn't help anybody. It's also very desirable if researcher can explain how exactly he or she found 


a given vulnerability. 


How are bug reports examined? 


Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on worst 


case exploitation of the vulnerability, as is the reward we pay. 


Reports are reviewed within 15 days (this is a maximum period - we'll probably respond sooner). 


If you prefer to remain anonymous, we recommend using an alias when submitting bug reports. 


Participating reports 


Only reports reported via bug bounty platform interface may be considered for a bounty. A date/time of 


report on bug bounty platform is considered as a date/time of the report. 


Duplicate reports 


Different exploitation vectors for the same bug or similar bugs may be considered duplicating if security 
team believes information provided for a single vector/bug is enough to fix all vectors or bugs reported. 
Report for known or duplicating vulnerability is considered as Duplicate. Duplicate report is not eligible for 
monetary reward. Report can be either a duplicate of another report from any bug bounty platform ora 
duplicate of the problem internally tracked by Mail.Ru security team. Usually, access to original report or 
some information from internal task tracker is provided to reporter of Duplicate. In some cases 
information may not be provided, if a Duplicate contains less information or less critical exploitation 
vector than original report. 

The report is considered as a duplicated to another report from any bug bounty platform, if there is original 
report is in "New" or "Triaged" state with an earlier report date/time or lower report number of if it updates 
the report in "N/A" or "Need more info" state and original report is in "N/A" or "Need more info" state for 
less than 1 week or sufficient information is provided in original report by researcher since the report is 
transferred to "N/A" or "Need more info" state. 

The report is considered as a duplicate to internal task if there is a task in internal task tracker which is 


tracked by Mail.Ru security team on the time of the duplicate report. 


Also, public O-day/1-day vulnerabilities may be considered as a duplicate within few days after vulnerability 
details publication, if vulnerability is known to our team from public sources and we are working to mitigate 


or patch it. 


Invalid reports 


Report in "N/A" or "Need more info" state which is stale in this state for more than a week without 


sufficient new information provided is considered as invalid and does not participate in bug bounty. 


Reward payment 


We will pay you a reward if you are the first person to report a given vulnerability. 


Payments are made through HackerOne. 


Vulnerability disclosure 


Vulnerability must be disclosed only with accordance with bug bounty platform disclosure policy. 
Request for vulnerability disclosure must be submitted via bug bounty platform report interface. We 
usually disclosure reports within 4 weeks after disclosure request or fixing time, but we can request up to 3 
months of additional time before vulnerability details are published. This time is required to distribute the 
fixed version and check it for regressions. 

No vulnerability disclosure, including partial is allowed before vulnerability is disclosed on bug bounty 
platform. 

If any sensitive information including (but not limited to) infrastructure and implementation details, 
internal documentation procedures and interfaces, source code, user and employees data accidentally 
obtained during vulnerability research or demonstration must not be disclosed. Intentional access to this 
information is strongly prohibited. 

Mail.ru does not disclosure and do not grant you any rights to disclosure vulnerabilities in 3rd party 


products or services, unless these rights are explicitly given to you by affected 3rd party. 


Last updated on May 23, 2021. View changes 


In Scope 


Ext. O: Acquisitions, not integrated to Mail.Ru 


infrastructure and external cloud services 

This scope covers services and products related or operated by 
Mail.ru but hosted outside of Mail.ru infrastructure: fresh and non- 
integrated acquisitions not mentioned for different scopes, 
different cloud services and externally hosted solutions. It also 
covers non-production hosts (e.g. staging and demo installations) 
of Mail.ru projects in MCS cloud hosting. 


Extended scope only awards critical serverside vulnerabilities, if 


Critical 


vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 
Other @ Eligible 


SSRF, etc) or data outside of project's scope (e.g. personal 
information) via serverside vector. 


Clientside vulnerabilities (XSS, CSRF) and business logic specific 
bugs, including privilege escalations within the product are 
accepted without bounty. 


MitM and local attacks, user enumeration on 
registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted 
unless there are additional vectors identified (e.g. ability to steal 
the session token via remote vector for open redirection) 


ther 


ther 


ther 


services. 


Mail.Ru Cloud Solutions (MCS) 

l except customer-operated 
hosts in MCS Hosting networks, delegated and externally hosted 
domains and branded partner services. 


IMPORTANT: We can change the reward in this scope if 
researcher uses Oday in openstack to exploit the vulnerability in 


Critical 


report. 


Reports for customer introduced vulnerabilities in MCS Hosting 
networks belong to Hosting Scope and are considered as 
informative. 


Main Scope 

Mail.ru Mail for iOS, Mail.ru Mail for Android, Mail.ru Cloud for iOS, 

Disk-o Cloud application, Mail.ru Cloud for Android, Mail.ru 

Calendar for Android, Kog Lloctyna Mail.Ru for Android, Kog 

DocTtyna Mail.Ru for iOS , MyMail for iOS, MyMail for Android, 
(without subdomains), : 


Critical 


! except delegated and 
externally hosted domains and branded partner services. 


Bugs common for both Mail.Ru and MyMail application / 
serverside are usually accepted as a single bug. 


Ext. A Scope Critical 
Productivity, e-commerce, B2B projects at , 


and some dedicated project domains, including 


except delegated and externally hosted 


domains and branded partner services. 


Extended scope only awards critical serverside vulnerabilities, if 
vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 
SSRF, etc) or data outside of project's scope (e.g. personal 
information) via serverside vector. 


Clientside vulnerabilities (XSS, CSRF) and business logic specific 
bugs, including privilege escalations within the product are 
accepted without bounty. 

MitM and local attacks, user enumeration on 


@ Eligible 


@ Eligible 


@ Eligible 


ther 


ther 


ther 


Ext. B Scope 

Gaming, entertainment, recruitment, educational services and 

unlisted projects ! 

unlisted in different scopes and dedicated project domains 

( À l ; ; 
i and game domains within Mail.Ru 

infrastructure) except delegated domains, externally hosted 

projects, acquirements not integrated to Mail.Ru infrastructure 

and branded partner services. Reports for user introduced 

vulnerabilities in hosted systems or hosted student projects are 

considered as informative. 


Extended scope only awards critical serverside vulnerabilities, if 
vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 
SSRF, etc) or data outside of project's scope (e.g. personal 
information) via serverside vector. 


Clientside vulnerabilities (XSS, CSRF) and business logic specific 
bugs, including privilege escalations within the product are 
accepted without bounty. 


MitM and local attacks, user enumeration on 
registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted 
unless there are additional vectors identified (e.g. ability to steal 
the session token via remote vector for open redirection). 


Delivery Club 

Delivery Club and ZakaZaka applications, ' 
except delegated and externally hosted domains 

and branded partner services. 


ICQ 

ICQ web client: 

ICQ web portal: l l 

ICQ API Sandbox: (ICQ API relies on tokens rather than 
cookies and HTTP auth and is generally resistant to crossite 
attacks, check the real impact for crossite access before 
reporting). 

ICQ Application (mobile): ICQ for Android, ICQ for IOS. Reports 
for Mail.Ru Agent are only accepted if the report is specific to this 
branded version. 

ICQ Application (desktop): ICQ for Mac, ICQ for Windows, Source 
code (source code is not published with every ICQ version and 
may contain vulnerabilities already patched in version distributed 
via ICQ site. Only reports for vulnerabilities in latest version 
distributed via the ICQ site are accepted). 

Mail.Ru Agent and MyTeam are derived from ICQ code. Reports 
for these messengers are only accepted if vulnerability is 


Critical @ Eligible 


Critical © Eligible 


Critical © Eligible 


ther 


ther 


ther 


MY.GAMES App for Android, MY.GAMES App for iOS and 
MY.GAMES core services: (without subdomains), 


Critical 
Game subdomains do not belong to this scope. 


MitM and local attacks, user enumeration on 
registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted 
unless there are additional vectors identified (e.g. ability to steal 
the session token via remote vector for open redirection). 


DonationAlerts 
except delegated 
and externally hosted domains and branded partner services. 


MitM and local attacks, user enumeration on Critical 
registration/recovery, open redirections, insufficient session 

expiration, cookies working after logout etc are not accepted 

unless there are additional vectors identified (e.g. ability to steal 

the session token via remote vector for open redirection). 


Foodplex Critical 
Foodplex applications, ' , 
l , except delegated 


and externally hosted domains and branded partner services. 


We accept reports on if they belong to 
patern. Open port reports on 
are only accepted if they contain 


sensitive information. 


API endpoints are externally available sandboxes for 
integration testing and may lack authentication or have public 
testing accounts available. These endpoints are not intended to 
store any sensitive information, any data available via these 
endpoints is not considered as sensitive. Reports for ability to 
access these endpoints and information disclosure reports for 
these endpoints are not accepted. Another critical serverside 
vulnerabilities (RCE, SQLi, etc) are accepted under bounty 
conditions of Ext.O scope if vulnerability is specific to sandbox API 
endpoint. 


Foodplex scope only awards critical serverside vulnerabilities, if 
vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 
SSRF, etc) or data outside of project's scope (e.g. personal 
information) via serverside vector. 


@ Eligible 


© Eligible 


@ Eligible 


ther 


ther 


MitM and local attacks, user enumeration on 
registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted 
unless there are additional vectors identified (e.g. ability to steal 
the session token via remote vector for open redirection). 


Samokat 
(domain only, smart.space mobile aplication does 
not belong to Samokat) except delegated and externally hosted 
domains and branded partner services, and 
applications for iOS/Android. 


Samokat scope only awards critical serverside vulnerabilities, if 

vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 

SSRF, etc) or data outside of project's scope (e.g. personal 

information) via serverside vector. Critical 
Clientside vulnerabilities (XSS, CSRF) and business logic specific 
bugs, including privilege escalations within the product are 
accepted without bounty. 


MitM and local attacks, user enumeration on 
registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted 
unless there are additional vectors identified (e.g. ability to steal 
the session token via remote vector for open redirection). 


Content Critical 
Content, portal, news projects (without subdomains): 


Content scope only awards critical serverside vulnerabilities, if 
vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 
SSRF, etc) or data outside of project's scope (e.g. personal 
information) via serverside vector. 


Clientside vulnerabilities (XSS, CSRF), MitM and business logic 
specific bugs, including privilege escalations within the product 
are accepted without bounty. 


Local attacks, user enumeration on registration/recovery, open 
redirections, insufficient session expiration, cookies working after 


@ Eligible 


@ Eligible 


Biz 
except delegated and externally Critical 
hosted domains and branded partner services. 


Uchi 


À except delegated and 
externally hosted domains and branded partner services. 


Uchi scope only awards critical serverside vulnerabilities, if 

vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, Critical 
SSRF, etc) or data outside of project's scope (e.g. personal 

information) via serverside vector. 


Clientside vulnerabilities (XSS, CSRF), MitM and business logic 
specific bugs, including privilege escalations within the product 
are accepted without bounty. 


Local attacks, user enumeration on registration/recovery, open 
redirections, insufficient session expiration, cookies working after 
logout etc are not accepted unless there are additional vectors 
identified (e.g. ability to steal the session token via remote vector 
for open redirection). 


Citydrive 

Citydrive App for Android, Citydrive App for iOS, i 
except delegated and externally hosted 

domains and branded partner services. 


Citydrive scope only awards critical serverside vulnerabilities, if 
vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 
SSRF, etc) or data outside of project's scope (e.g. personal 


information) via serverside vector. 
Critical 


Clientside vulnerabilities (XSS, CSRF) and business logic specific 
bugs, including privilege escalations within the product are 
accepted without bounty. 


MitM and local attacks, user enumeration on 
registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted 
unless there are additional vectors identified (e.g. ability to steal 
the session token via remote vector for open redirection). 


KITCHEN Critical 
i except delegated and 


externally hosted domains and branded partner services. 


@ Eligible 


@ Eligible 


@ Eligible 


© Eligible 


Clientside vulnerabilities (XSS, CSRF), MitM and business logic 
specific bugs, including privilege escalations within the product 
are accepted without bounty. 


Local attacks, user enumeration on registration/recovery, open 
redirections, insufficient session expiration, cookies working after 
logout etc are not accepted unless there are additional vectors 
identified (e.g. ability to steal the session token via remote vector 
for open redirection). 


NATIVEROLL 
! , except delegated 


and externally hosted domains and branded partner services. 


NATIVEROLL scope only awards critical serverside vulnerabilities, 
if vulnerability compromises the infrastructure (e.g. RCE, SQLi, 
LFR, SSRF, etc) or data outside of project's scope (e.g. personal 
information) via serverside vector. 


ritical 
Clientside vulnerabilities (XSS, CSRF), MitM and business logic C 


specific bugs, including privilege escalations within the product 
are accepted without bounty. 


Local attacks, user enumeration on registration/recovery, open 
redirections, insufficient session expiration, cookies working after 
logout etc are not accepted unless there are additional vectors 
identified (e.g. ability to steal the session token via remote vector 
for open redirection). 


Pixonic 

War Robots (Windows in Steam and Windows in Amazon), iOS, 
Android applications, except 
delegated and externally hosted domains and branded partner 
services. 


Pixonic scope only awards critical serverside vulnerabilities, if 

vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 

SSRF, etc) or data outside of project's scope (e.g. personal 

information) via serverside vector. Critical 


Clientside vulnerabilities (XSS, CSRF), MitM and business logic 
specific bugs, including privilege escalations within the product 
are accepted without bounty. 


Local attacks, user enumeration on registration/recovery, open 
redirections, insufficient session expiration, cookies working after 
logout etc are not accepted unless there are additional vectors 
identified (e.g. ability to steal the session token via remote vector 
for open redirection). 


Ext. O: Delegated subdomain or branded partner service Medium 


@ Eligible 


@ Eligible 


xecutable 


ther 


terms and rules. Researchers must follow rules and service 
agreement published by resource being investigated. Mail.Ru 
does not authorize researcher or provide him permissions in any 
form to research third party resources for vulnerabilities, all 
permissions must be acquired by researcher directly from third 
party or partner. 


Only reports affecting Mail.ru services or customers are accepted. 


Vulnerability information for third party product or service can not 
be disclosed within Mail.Ru bug bounty program. 


Extended scope only awards critical serverside vulnerabilities, if 
vulnerability compromises the infrastructure (e.g. RCE, SQLi, LFR, 
SSRF, etc) or data outside of project's scope (e.g. personal 
information) via serverside vector. 


Clientside vulnerabilities (XSS, CSRF) and business logic specific 
bugs, including privilege escalations within the product are 
accepted without bounty. 


MitM and local attacks, user enumeration on 
registration/recovery, open redirections, insufficient session 
expiration, cookies working after logout etc are not accepted 
unless there are additional vectors identified (e.g. ability to steal 
the session token via remote vector for open redirection) 


Atom browser 
Atom browser is available from https://browser.mail.ru/ 


Atom only accepts vulnerabilities, which affect Atom and do not 
affect vanila Chromium. How to check if your vulnerability is 
applicable: 


Critical 
1. Launch Chromium current Atom release is based on (check 


browser://version page). 

2. Try to reproduce your bug in Chromium and Atom. 

3. If your bug only affects Atom, create a report. If your bug 
affects Chromium, check the latest Chromium version and, if 
it's also affected, send to Chromium bug bounty. 


Hosting None 
3rd party projects and services are not covered by bug bounty 

terms and rules. Researchers must follow rules and service 

agreement published by hosted resource being investigated. 

Mail.Ru does not authorize researcher or provide him permissions 

in any form to research third party resources for vulnerabilities, all 

permissions must be acquired by researcher directly from third 

party / Mail.Ru customer. 


User-introduced vulnerabilities in hosted services (Mail.Ru 
hosting / colocation networks, "Infra" / MCS public cloud 


© Eligible 


© Ineligible 


projects (e.g. demo product installations, staging hosts, proxy 
servers, etc) including ones hosted in MCS Hosting networks are 


covered by Ext.O Scope. 


MCS hosting infrastructure, default installations and interfaces 
are covered by MCS Scope. 


Hosting network can be identified by whois information or PTR 
name. Customer host in MCS network may have "MCS" in whois 
description or route information or ###.mcs.mail.ru PTR where 
H## is last octet from IP address, hosting or colocation networks 
are usually described as hosting or colocation in whois 
description. You can use this link to obtain the list of MCS 
customers networks (requires phone registration for MCS Infra 
Cloud Computing services). 


Alternatively, you can report any vulnerable installations, 
information on compromised hosts, botnet C&C, and another 
maliscious/suspicious activity from MCS Hosting networks to 
abuse(@mcs.mail.ru. 


Vulnerability information for third party product or service can not 
be disclosed within Mail.Ru bug bounty program. 


Out of Scope 


love.mail.ru 
omain Report love.mail.ru bugs to Wamba bug bounty program: 
http://corp.wamba.com/en/developer/security/ 


vk.com 
omain Report VKontakte (vk.com) bugs to 
https://hackerone.com/vkcom 


https://hackerone.com/ok 


ther We do not accept/review reports with: 
e Vulnerability scanners and another automated tools reports 
e Disclosure of non sensitive information, such as product version 
e Disclosure of public user information, such as nick name / screen name 
e Reports based on product/protocol version without demonstration of real vulnerability presence 
e Reports of missed protection mechanism / best current practice (e.g. no CSRF token, framing/clickjacking 
protection) without demonstration of real security impact for user or system 
e Reports regarding published and non-published SPF and DMARC policies 
e Logout CSRF 
e Vulnerabilities of partner products or services if Mail.Ru users / accounts are not directly affected 
e Missed SSL or another BCP for products beyond the main scope 
e Security of rooted, jailbreaked or otherwise modified devices and applications 


ok.ru 
omain Report Odnoklassniki (ok.ru) bugs to 


message) if it doesn't lead to UI spoofing, Ul behavior modification or another negative impact. 

e Same site scripting, reflected download and similar attacks with questionable impact 

e CSP related reports for domains without CSP and domain policies with unsafe eval and/or unsafe inline 

e IDN homograph attacks 

e XSPA (IP/port scanning to external networks) 

e Excel CSV formula injection, scripting within PDF documents 

e Attack which require full access to local account or browser profile 

e Attacks with scenarios where vulnerability in a 3rd party site or application is required as a prerequisite and 
is not demonstrated 

e Theoretical attacks without proof of exploitability 

e Denial of Service vulnerabilities 

e Ability to send large amount of messages 

e Ability to send spam or malware file 

e Information disclosure via external references outside of Mail.Ru control (e.g. search dorks to private 
robots.txt protected areas) 

e Disclosure of unused or properly restricted JS API keys (e.g. API key for external map service) 

e Ability to perform an action unavailable via user interface without identified security risks 


Reports considered as informative: 
e User-introduced vulnerabilities in hosted services (Mail.Ru hosting network, MCS "Infra" public cloud 


ther 
computing hosts, gaming teams hosting, hosted student works for educational projects, etc) 
e Information on compromised accounts of external users for Mail.Ru services 
aliexpress.com / aliexpress.cn 
ther Report Alibaba (aliexpress.com / cn) bugs to 


https://hackerone.com/alibaba 


View changes Last updated on October 8, 2021. 


2 days 


Average time to first response 


2 days 


Average time to triage 


6 days 


Average time to bounty 


3 months 


Average time to resolution 


94% of reports 


Meet response standards 


Based on last 90 days 





Total bounties paid 


$200 - $300 


Average bounty range 


$2,000 - $55,000 


Top bounty range 


$162,350 


Bounties paid in the last 90 days 


534 


Reports received in the last 90 days 


8 hours ago 


Last report resolved 


4555 


Reports resolved 


1498 


Hackers thanked 


: danila 
í Reputation:2264 
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Reputation:2199 


Reputation:2164 


kwel 
Reputation:1923 


S jayesh25 
Reputation:1824 
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